From 022213bb86e34a70d27a9e439ef3c7934cf77a62 Mon Sep 17 00:00:00 2001
From: Gaurav
Date: Tue, 17 Jun 2014 10:45:42 +0530
Subject: [PATCH 1/3] Adding some missing Null Checks.

Added to avoid possible Null Pointer dereference.
---
 tinyxmlparser.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp
index 9ea52ef..07c5041 100644
--- a/tinyxmlparser.cpp
+++ b/tinyxmlparser.cpp
@@ -1349,7 +1349,7 @@ const char* TiXmlComment::Parse( const char* p, TiXmlParsingData* data, TiXmlEnc
 if ( !StringEqual( p, startTag, false, encoding ) )
 {
-document->SetError( TIXML_ERROR_PARSING_COMMENT, p, data, encoding );
+if ( document ) document->SetError( TIXML_ERROR_PARSING_COMMENT, p, data, encoding );
 return 0;
 }
 p += strlen( startTag );
@@ -1515,7 +1515,7 @@ const char* TiXmlText::Parse( const char* p, TiXmlParsingData* data, TiXmlEncodi
 if ( !StringEqual( p, startTag, false, encoding ) )
 {
-document->SetError( TIXML_ERROR_PARSING_CDATA, p, data, encoding );
+if ( document ) document->SetError( TIXML_ERROR_PARSING_CDATA, p, data, encoding );
 return 0;
 }
 p += strlen( startTag );

From 1f9d97b6000dda85ce461f148b0fd2bcaac30da3 Mon Sep 17 00:00:00 2001
From: Gaurav
Date: Tue, 17 Jun 2014 11:15:14 +0530
Subject: [PATCH 2/3] Add missing Null check.

In case if condition ad line 776 is false, value of errp_arg will be NULL which is dereference in call v_execute_function (S_name, u_variable, erpp_arg); at line 802. this causes crash.
---
 xpath_processor.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/xpath_processor.cpp b/xpath_processor.cpp
index d8d3f81..4b62ef5 100644
--- a/xpath_processor.cpp
+++ b/xpath_processor.cpp
@@ -798,6 +798,7 @@ void xpath_processor::v_execute_one (
 if (! o_skip_only)
 {
 S_name = S_pop_string ();
+if (erpp_arg)
 v_execute_function (S_name, u_variable, erpp_arg);
 }
 }

From ee586bb2df4ce73dec4af8e390a8f3ac56a19f82 Mon Sep 17 00:00:00 2001
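Review bot: When `document` is null, the `return 0` on the line after the new guard becomes the only signal that the comment start tag was not found; nothing records what went wrong, so a node parsed without an owning document now fails silently instead of crashing. If that is the intended contract, a comment on the guarded line, `// no owning document to record the error in; the null return is the caller's only signal`, makes it deliberate; otherwise the failure should be surfaced another way. The same point applies to the TiXmlText::Parse hunk, which adds the identical guard for TIXML_ERROR_PARSING_CDATA. Both TiXmlComment::Parse and TiXmlText::Parse start before their hunks, so how `document` is obtained and whether the other SetError calls in those functions are guarded the same way is not visible here.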
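Review bot: Skipping `v_execute_function` when `erpp_arg` is null avoids the dereference but turns a malformed call into a silent no-op after `S_name` has already been popped; if v_execute_function normally pushes its result for the rest of the expression, the evaluator is left one value short and later pops read the wrong entry. Unless a missing argument list is a legitimate no-op here, reporting it through whatever error path the processor already uses is safer than continuing, with a comment such as `// erpp_arg is null when no argument list was parsed; treat as an evaluation error, not a no-op`. The brace-less `if` on its own line guards only the following call, which is what is intended but is easy to break on the next edit; `if (erpp_arg) { v_execute_function (S_name, u_variable, erpp_arg); }` reads more clearly. v_execute_one starts before the hunk, and the path that leaves `erpp_arg` null (the commit message's line 776) is not visible.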
From: Gaurav
Date: Tue, 17 Jun 2014 11:22:01 +0530
Subject: [PATCH 3/3] Avoid possible buffer overflow.

sprintf can cause buffer overflow problem as it does not check length of src. snprintf takes only given no of bytes and hence avoids buffer overflow problem.
---
 lex_util.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lex_util.cpp b/lex_util.cpp
index 756199e..7bea981 100644
--- a/lex_util.cpp
+++ b/lex_util.cpp
@@ -219,7 +219,7 @@ void v_assign_int_to_string (TIXML_STRING & S_string, int i_val)
 {
 char ca_int [80];
-sprintf (ca_int, "%d", i_val);
+snprintf (ca_int, sizeof(ca_int), "%d", i_val);
 S_string = ca_int;
 }
@@ -229,7 +229,7 @@ void v_assign_double_to_string (TIXML_STRING & S_string, double d_val)
 {
 char ca_int [80];
-sprintf (ca_int, "%f", d_val);
+snprintf (ca_int, sizeof(ca_int), "%f", d_val);
 while (ca_int [strlen (ca_int) - 1] == '0')
 ca_int [strlen (ca_int) - 1] = 0;
 if (ca_int [strlen (ca_int) - 1] == '.')
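Review bot: In `v_assign_double_to_string` the `snprintf` turns the overflow into a silent truncation rather than fixing it: `%f` of a double with more than about 72 integer digits (up to 300-plus for the largest values) no longer fits in 80 bytes, the output is cut at 79 characters, and the zero-stripping loop that follows can then remove trailing digits of a truncated integer part, so `S_string` quietly holds a wrong number. Check the return value, e.g. `int n = snprintf (ca_int, sizeof(ca_int), "%f", d_val);` followed by `if (n < 0 || n >= (int) sizeof (ca_int)) { /* too long: report or fall back */ }`, or size the buffer for the worst case, which for `%f` is well over 300 bytes. The `%d` hunk cannot exceed the buffer, so there the change is harmless consistency. Both functions continue past their hunks, so how a too-long result should be reported depends on surrounding code not shown here.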